projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 374fa8e8 | 1 | #!/bin/bash |
| 1b6f9b98 | 2 | # SPDX-License-Identifier: LGPL-2.1-or-later |
| 2d1d0a6c | 3 | set -e |
| 1b6f9b98 | 4 | |
| 1ad84c9a DDM |
5 | if [ -n "$SANITIZERS" ]; then |
| 6 | LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}') | |
| 01a07564 | 7 | |
| 1ad84c9a | 8 | mkdir -p /etc/systemd/system.conf.d |
| 01a07564 | 9 | |
| 1ad84c9a | 10 | cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF |
| 01a07564 DDM |
11 | [Manager] |
| 12 | ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ | |
| 13 | UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ | |
| 14 | LD_PRELOAD=$LD_PRELOAD | |
| 15 | DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ | |
| 16 | UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ | |
| 17 | LD_PRELOAD=$LD_PRELOAD | |
| 5a4327d1 DDM |
18 | EOF |
| 19 | ||
| 1ad84c9a DDM |
20 | # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose |
| 21 | # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any | |
| 22 | # sanitizer failures appear directly on the user's console. | |
| 23 | mkdir -p /etc/systemd/system/systemd-journald.service.d | |
| 24 | cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF | |
| 01a07564 DDM |
25 | [Service] |
| 26 | StandardOutput=tty | |
| 27 | EOF | |
| 28 | ||
| 1ad84c9a DDM |
29 | # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users. |
| 30 | # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As | |
| 31 | # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login | |
| 32 | # from calling vhangup() so that journald's ASAN logs correctly end up in the console. | |
| 01a07564 | 33 | |
| 1ad84c9a DDM |
34 | mkdir -p /etc/systemd/system/console-getty.service.d |
| 35 | cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF | |
| 01a07564 DDM |
36 | [Service] |
| 37 | TTYVHangup=no | |
| 38 | CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG | |
| 39 | EOF | |
| 1ad84c9a DDM |
40 | # ASAN and syscall filters aren't compatible with each other. |
| 41 | find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} + | |
| 69d638e6 | 42 | |
| 1ad84c9a DDM |
43 | # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default. |
| 44 | systemctl mask systemd-hwdb-update.service | |
| 45 | fi | |
| 37d35150 | 46 | |
| fe424384 | 47 | if command -v authselect >/dev/null; then |
| 166bcaf9 DDM |
48 | # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so |
| 49 | # let's use the new name if it exists. | |
| 50 | if [ -d /usr/share/authselect/default/local ]; then | |
| 51 | PROFILE=local | |
| 52 | else | |
| 53 | PROFILE=minimal | |
| 54 | fi | |
| 55 | ||
| 56 | authselect select "$PROFILE" | |
| fe424384 | 57 | |
| 166bcaf9 | 58 | if authselect list-features "$PROFILE" | grep -q "with-homed"; then |
| fe424384 DDM |
59 | authselect enable-feature with-homed |
| 60 | fi | |
| 61 | fi | |
| 7cd64af5 | 62 | |
| b57e7522 DDM |
63 | # Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that |
| 64 | # if that's the case. | |
| 65 | mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf | |
| 7cd64af5 | 66 | rm -f /etc/resolv.conf |
| d052cc88 | 67 | |
| 374fa8e8 FS |
68 | # sbsign is not available on CentOS Stream |
| 69 | if command -v sbsign &>/dev/null; then | |
| 70 | # Ensure that side-loaded PE addons are loaded if signed, and ignored if not | |
| 71 | addons_dir=/efi/loader/addons | |
| 72 | mkdir -p "$addons_dir" | |
| 73 | ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi" | |
| 74 | ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi" | |
| 75 | fi |